如果发起者受到威胁/故意想要作弊，TLS 是否可以防止重放攻击 [英] Does TLS prevents replay attacks if the originator is compromised / intentionally wants to cheat

问题描述

背景:我正在开发一个使用持久 TCP 连接到后端服务器的移动应用程序(在线聊天).在之前的版本中，我们使用了众所周知的加密方案来保护有效负载并使用共享密钥进行签名.这为防止数据篡改和逆向工程提供了足够的保护.但是流量仍然容易受到重放攻击:有人可以捕获网络流量并重放它，服务器会接受请求，因为它不知道它是真实的还是重放的.为了解决这个问题，我们引入了时间戳和随机数，以防止重放攻击.

Background: I'm working on a mobile application (online chat) that use persistent TCP connections to a backend server. In the previous version, we used a well-known encryption scheme to protect the payload and sign using a shared secret key. This provided sufficient protection against data tampering and reverse engineering. But the traffic was still susceptible to replay attacks: someone can capture the network traffic and replay it and server would accept the requests since it had no idea whether it was real or replayed. To counter this, we introduced timestamps and nonces which provided protection against replay attacks.

一切都很好.后来决定使用 TLS(传输层安全)来保护客户端和服务器之间的所有通信.实施了 TLS 并为防止中间人攻击提供额外的保护层，我们将服务器的公共证书固定在客户端上.

All well and good. A decision was later made to use TLS (Transport Layer Security) to protect all communication between clients and servers. TLS was implemented and to provide an extra layer of protection against Man-in-the-Middle attacks, we pinned the public certificate of the server on clients.

这让我想到了一个问题:是否仍然需要使用自定义加密和防止重放攻击，因为 TLS 已经提供了针对这些攻击的保护?在我的研究中，我发现 TLS 在传输过程中提供保护，即防止中间人，但是如果发起者本身想要欺骗系统并修改有效负载或重放流量怎么办?TLS 是否可以防止故意欺骗者试图以某种方式拦截其操作系统网络层中的流量?我的理解是 TLS 提供端到端加密，但我怀疑 TLS 流量实际上可以重播，如果发起者希望的话.

Which brings me to the question: is it still necessary to use custom encryption and guard against replay attacks since TLS already provides protection against these? In my research, I found that TLS provides protection during transmission i.e. prevents man in the middle but what if the originator itself wants to cheat the system and modify payload or replay traffic? Does TLS protect against an intentional cheater trying to somehow intercept the traffic in the network layer of their OS? My understanding was that TLS provides end-to-end encryption but I have a suspicion that TLS traffic could, in fact, be replayed if the originator wishes to.

我也知道基于内存的攻击，其中攻击者会修改设备上的内存以修改有效负载(甚至可能是记录和重放).但即使是我们的自定义加密 + 重放防护也无法防范这些攻击.

I'm also aware of memory-based attacks where the attacker would modify the memory on the device this modifying payload (may be even record and replay.) But even our custom encryption + replay guard won't protect against these.

来自:https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#好处

"TLS 还提供了两个通常被忽视的额外好处:完整性保证和重放预防.TLS 通信流包含内置控件，以防止篡改加密数据的任何部分.此外，控件还内置-以防止稍后重放捕获的 TLS 数据流.

"TLS also provides two additional benefits that are commonly overlooked; integrity guarantees and replay prevention. A TLS stream of communication contains built-in controls to prevent tampering with any portion of the encrypted data. In addition, controls are also built-in to prevent a captured stream of TLS data from being replayed at a later time.

需要注意的是，TLS 对传输过程中的数据提供了上述保证.TLS 不会为静态数据提供任何这些安全优势.因此，必须添加适当的安全控制措施来保护应用程序或数据存储中处于静止状态的数据."

It should be noted that TLS provides the above guarantees to data during transmission. TLS does not offer any of these security benefits to data that is at rest. Therefore appropriate security controls must be added to protect data while at rest within the application or within data stores."

推荐答案

TLS 仅保护传输，因此它仅提供防止修改或重放加密 数据的保护.它不能防止在加密之前或解密之后对数据进行任何类型的修改或重放.通过 TLS 连接再次发送相同的数据实际上是完全有效的.

TLS only protects the transport and thus it provides protection against modifying or replaying of the encrypted data only. It does not protect against any kind of modifications or replaying of the data before the encryption or after decryption. Sending the same data again over a TLS connection is actually perfectly valid.

但是，您用来检测重放的随机数和时间戳也不能防止修改或重放.发送方仍然可以使用相同的数据，但使用新的随机数和新的时间戳保护"这些数据.只要攻击者能够修改客户端代码，就不可能防范这种基于客户端的攻击，如果客户端在攻击者拥有的系统上运行，通常就是这种情况，例如智能手机游戏智能手机的主人喜欢作弊.

But, the nonce and timestamp you use to detect replay do not protect against modification or replaying too. The sender can still use the same data but "protect" these with the new nonce and the new timestamp. It is simply not possible to protect against this kind of client based attacks as long as the attacker is able to modify the client code which is usually the case if the client runs on a system owned by the attacker like in case of a smartphone game where the owner of the smartphone likes to cheat.

这篇关于如果发起者受到威胁/故意想要作弊，TLS 是否可以防止重放攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！